Is there an alternatives to fail2ban?
I always used fail2ban with my CentOS box but now with CentOS 6 I'm not able to get it to work again.
Service starts without error, all is configured ok, no error on logs but fail2ban doesn't ban anyone on my box.
Is there an alternative software to fail2ban with similar functionalities?
I need to ban IP that fails auth on squirrelmail (I have installed squirrel_logger), on php, on apache and on phpmyadmin, ah and dovecot.
15 Replies
its really sad to see a good software like this to fail in this way.
Four years without any new features, three years without a decent fix to major problem, two years and no fix to phyton compatibility problems, board is full of spam without any moderation.
Its a dead software but I don't see any alternatives.
The only one could be denyhosts but it isn't an alternatives, at all, since it only protect the ssh port.
I know on Debian 6.0, fail2ban works just fine with python 2.6.6
@waldo:
Looks like Python 2.6 should work with the latest version of Fail2ban:
http://www.fail2ban.org/wiki/index.php/ … d_older.29">http://www.fail2ban.org/wiki/index.php/Fail2ban:CommunityPortal#Python2.6support.28relevantonlyfor0.8.3and_older.29 I know on Debian 6.0, fail2ban works just fine with python 2.6.6
On the net I find only complaints about fail2ban and Python 2.6, the only regexpr that works ok is the one for SSH.
Probably the debian you are talking about uses only ssh protection.
Seeing how fail2ban, python 2.6 and all just worked right out of the box for me on Debian, I'm assuming the others work just fine.
@waldo:
That's primarily all I use it for, but as far as I can tell, the Debian guys have filters for apache, courier, exmin, gssftpd, lighttpd, pam, postfix, pure-ftpd, gmail, sasl, sieve, sshd-ddos, sshd, vsftpd, webmin-auth, wuftpd, xinetd and a few others.
Seeing how fail2ban, python 2.6 and all just worked right out of the box for me on Debian, I'm assuming the others work just fine.
can you give me some output of fail2ban-regexpr with some of your filter.d/files ?
If you download:
from:
Then dig into config/filter.d those are the same files I'm using. From what I can tell, it appears the Debian maintainer has modified the following files in the package:
action.d/iptables-multiport.conf
action.d/iptables-new.conf
action.d/mail-whois-lines.conf
action.d/iptables-all-ports.conf
jail.conf
filter.d/apache-nohome.conf
filter.d/named-refused.conf
filter.d/apache-badbots.conf
filter.d/proftpd.conf
filter.d/pure-ftpd.conf
filter.d/wuftpd.conf
filter.d/common.conf
filter.d/ssdh-ddos.conf
filter.d/pam-generic.conf
filter.d/sasl.conf
regexpr are correct (checked with regexpr calculator for python), fail2ban is well configured and it doesn't match anything.
I have founded dozens of other users with my same problem on the net, it could be interesting to see how debian modified that files to make it work.
in any case this is a dead software since many years, its best to find a new one but the problem is that I cannot find an alternatives.
Sure the last release was 2 years ago:
Perhaps it's mature and because of it's very nature doesn't need to be constantly updated. It just reads log files and runs some external commands (usually to make changes to standard firewalls, like iptables). You do have a firewall installed, right?
If you've installed fail2ban from the Centos repository and it's not working, sounds like they broke something, or the package maintainer never tested….
This is the only browsable repo I can find for Centos:
Looks like the newest version of fail2ban available from the Centos repos is quite old
Though Fedora is current:
I'd check to see what version of fail2ban got installed on your server.
@waldo:
Why do you say it's dead? Because it's not in constant development with regular releases?
Sure the last release was 2 years ago:
http://www.fail2ban.org/wiki/index.php/Main_Page Perhaps it's mature and because of it's very nature doesn't need to be constantly updated. It just reads log files and runs some external commands (usually to make changes to standard firewalls, like iptables). You do have a firewall installed, right?
If you've installed fail2ban from the Centos repository and it's not working, sounds like they broke something, or the package maintainer never tested….
This is the only browsable repo I can find for Centos:
http://pkgs.repoforge.org/fail2ban/ Looks like the newest version of fail2ban available from the Centos repos is quite old
Though Fedora is current:
http://download.fedora.redhat.com/pub/e … l2ban.html">http://download.fedora.redhat.com/pub/epel/6/x86_64/repoview/fail2ban.html I'd check to see what version of fail2ban got installed on your server.
I'm using the latest 0.8.4 from fedora epel
My personal favorite. And yes, it can do squirrelmail as I wrote a rule for it some time ago.
I solved by editing:
/etc/fail2ban/filter.d/common.conf
and changing
prefixline = \s(?:\S+ )?(?:@vserver\S+ )?%(daemoncombsre)s?\s
with this:
_prefixline = .*?
@haus:
There's always the LFD component of CSF:
http://www.configserver.com/cp/csf.html My personal favorite. And yes, it can do squirrelmail as I wrote a rule for it some time ago.
Agreed, I love CSF/LFD.
man fail2ban-regex for usage.
sudo ufw limit ssh
It even works for rating limiting smtp or pop/imap logins, which are the new attack vector of brute forcing. (Or port 80, or whatever you want.)
stmiller@li166-66:~$ sudo ufw status
[sudo] password for stmiller:
Status: active
To Action From
-- ------ ----
22 LIMIT Anywhere
80 ALLOW Anywhere
443 ALLOW Anywhere
993 LIMIT Anywhere
465 LIMIT Anywhere
25 LIMIT Anywhere
By default this will deny connections of an IP if 6 or more logins are attempted in the last 30 seconds. Though you can customize as desired.